ICO consultation on the draft updated data sharing
code of practice


Data sharing brings important benefits to organisations and individuals, 
making our lives easier and helping to deliver efficient services. 


It is important, however, that organisations which share personal data 
have high data protection standards, sharing data in ways that are fair, 
transparent and accountable. We also want organisations to be confident 
when dealing with data sharing matters, so individuals can be confident 
their data has been shared securely and responsibly. 


As required by the Data Protection Act 2018, we are working on updating 
our data sharing code of practice, which was published in 2011. We are 
now seeking your views on the draft updated code. 


The draft updated code explains and advises on changes to data 
protection legislation where these changes are relevant to data sharing. It 
addresses many aspects of the new legislation including transparency, 
lawful bases for processing, the new accountability principle and the 
requirement to record processing activities. 


The draft updated code continues to provide practical guidance in relation 
to data sharing and promotes good practice in the sharing of personal 
data. It also seeks to allay common concerns around data sharing. 


As well as legislative changes, the code deals with technical and other 
developments that have had an impact on data sharing since the 
publication of the last code in 2011. 


Before drafting the code, the Information Commissioner launched a call 
for views in August 2018. You can view a summary of the responses and 
some of the individual responses here. 


If you wish to make any comments not covered by the questions in the
survey, or you have any general queries about the consultation, please
email us at datasharingcode@ico.org.uk.


Please send us your responses by Monday 9 September 2019. 


Privacy Statement 


For this consultation, we will publish all responses except for those where 
the respondent indicates that they are an individual acting in a private 
capacity (e.g. a member of the public). All responses from organisations
and individuals responding in a professional capacity will be published. We
will remove email addresses and telephone numbers from these 
responses; but apart from this, we will publish them in full. 


For more information about what we do with personal data please see our 
privacy notice. 


Questions 


Note: when commenting, please bear in mind that, on the whole, the 
code does not duplicate the content of existing guidance on particular 
data protection issues, but instead encourages the reader to refer to the 
most up to date guidance on the ICO website. 


Q1 Does the updated code adequately explain and advise on the new
aspects of data protection legislation which are relevant to data 
sharing? 


[ ] Yes
[X] No


Q2 If not, please specify where improvements could be made. 


Overall, we consider that the document is inaccessible: it is over-long 
and confusingly arranged. We are concerned that readers will find it off- 
putting and it may therefore fail in its objective to support appropriate 
sharing of personal data. We consider that as law enforcement 
processing is very much a niche activity the code could be simplified by 
having law enforcement data sharing covered in a separate document. 
Similarly, it may be helpful to provide separate guidance for public and 
private sector organisations. 


In our view the Guidance mixes up the requirements where sharing 
takes place between ‘controllers in common/separate controllers’ and 
joint controllers. This is confusing: there should be a separate section 
for joint controllers. 


We also note that there is a section on data ethics and data trusts but it
is not clear why these are dealt with together as no clear connection is
made between them.


See further comments below.


Q3 Does the draft code cover the right issues about data sharing? 
[ ] Yes
[X] No


Q4 If no, what other issues would you like to be covered in it?


Overall, we consider that there is too much focus in the draft guidance 
on public sector sharing and not enough on what private 
sector/commercial organisations should be thinking about. (See, eg the 
“real life examples” on page 17, only one of which refers to non-public 
sector sharing and that example is arguably more likely to be a 
controller/processor relationship than a controller/controller one.) 
Indeed, it may be preferable for the ICO to consider publishing guidance 
for non-public sector organisations. 


We also note the recent decisions about websites being joint controllers 
with social media platforms (Fashion ID GmbH & Co. KG v 
Verbraucherzentrale NRW eV (Case C-40/17)). This type of data sharing 
also needs to be addressed.


Finally, we consider that the guidance could be clearer about what 
sharing is not covered, ie sharing with a data processor. This area is
confusing and again the explanation would be bolstered by examples. 


Q5 Does the draft code contain the right level of detail? 
[ ] Yes
[X] No


Q6 If no, in what areas should there be more detail within the draft
code?


See comments in response to question 4 above.


We are concerned that there is little mention of exceptions and 
exemptions in the guidance which would allow data to be shared in 
certain circumstances where compliance with some of the DPPs is not 
required. This appears to us to be a significant omission as much of the 
day-to-day sharing that takes place is based on those exceptions and 
exemptions. 


We also consider that the section on mergers and acquisitions is too 
brief. In particular, it should cover how to share personal data in 
advance of a merger happening; we are aware that this is an issue 
which lawyers commonly encounter. 


Q7 Has the draft code sufficiently addressed new areas or 
developments in data protection that are having an impact on your 
organisation’s data sharing practices? 


[ ] Yes
[X] No


Q8 If no, please specify what areas are not being addressed, or not
being addressed in enough detail


The transparency requirements can adequately be dealt with on a 
collective basis where parties to a data sharing agreement agree to 
collective privacy statements covering all parties to the agreement. This 
makes for a more efficient process and one which avoids data subjects 
being bombarded with multiple privacy statements relating to the same 
activity. However, the code does not address this. 


The code makes references to consent throughout, without recognising
that much data sharing takes place under other legal bases.


In the section on individual rights, the part relating to rights in terms of 
law enforcement processing notes that there are exemptions and 
restrictions applicable. There are also exemptions and restrictions in 
terms of GDPR individual rights but these are not signposted in the 
same way.


Q9 Does the draft code provide enough clarity on good practice in data
sharing?


[ ] Yes
[X] No


Q10 If no, please indicate the section(s) of the draft code which could be 
improved, and what can be done to make the section(s) clearer. 


In the political party section, we note the reference to sharing data with 
an organisation that sends out campaign material; in our view this is a 
controller to processor arrangement but it does not seem to be treated 
as such in the guidance as it is mentioned separately. It might be 
clearer to merely use this scenario as an illustrative example within one 
of the standard sections to make it clearer that the general guidance 
applies in a party-political context also. 


In the security section, we note that information security covers 
confidentiality, integrity and availability of information but the narrative 
is almost exclusively in relation to confidentiality. We also note that 
security must cover data at rest, data in motion and data in use. Again,
the code only covers data in use. In our experience a good data sharing
agreement will cover all of these parameters and is a useful place to set 
out practical matters such as the agreed secure method by which data 
will actually be exchanged. 


A number of the case studies quoted are actually examples of bad 
practice rather than good. For example, the case study on page 35 
identifies an example where things went wrong but does not give 
practical advice as to how relevant parts of data could have been shared 
in an appropriate manner in the same scenario. Likewise, the example 
on page 63 identifies a case of the police asking for excess information. 
We consider it would be more helpful to focus on good practice as an 
informative model for those seeking to comply. 


Q11 Does the draft code strike the right balance between recognising
the benefits of sharing data and the need to protect it? 


[ ] Yes
[X] No


Q12 If no, in what way does the draft code fail to strike this balance?


Overall we consider that the code is reasonably balanced but there could
perhaps be greater focus on the benefits of data sharing. 


Q13 Does the draft code cover case studies or data sharing scenarios 
relevant to your organisation? 


[ ] Yes
[X] No


Q14 Please provide any further comments or suggestions you may have 
about the draft code. 


As noted above, the majority of the examples are public sector-based. 
As suggested in response to Q4, it may be helpful to consider a 
separate code for private sector organisations but if not it would be 
helpful if the examples covered a broader range of scenarios to assist 
non-public-sector organisations. 


The section on sharing in urgent situations is a welcome addition, 
although we think it would benefit from inclusion of a warning that 
people may use the existence of a major incident as an opportunity to 
try and obtain information unlawfully. The existence of an urgent 
situation should not remove the need for at least some sort of validation 
check before releasing sensitive information. 


Q15 To what extent do you agree that the draft code is clear and easy 
to understand? 


[ ] Strongly agree
[ ] Agree
[ ] Neither agree nor disagree
[X] Disagree
[ ] Strongly disagree


Q16 Are you answering as: 
[ ] An individual acting in a private capacity (e.g. someone
providing their views as a member of the public)
[ ] An individual acting in a professional capacity
On behalf of an organisation
[ ] Other


Please specify the name of your organisation: 


The Law Society of Scotland 


Thank you for taking the time to share your views and experience. 


